Briefing
A sophisticated phishing campaign successfully compromised a 2-of-4 Safe multi-signature wallet, leading to the unauthorized transfer of $3.047 million in USDC. The attacker leveraged a meticulously crafted, fake Etherscan-verified contract to obscure malicious approval requests within seemingly legitimate Safe Multi Send transactions. This incident underscores a critical evolution in social engineering tactics, targeting the inherent trust in verified contract interfaces and multi-signature operational flows. The immediate consequence involved the swift exfiltration of funds, which were subsequently converted to Ethereum and routed through a privacy protocol, complicating recovery efforts.
Context
Prior to this incident, the digital asset landscape observed a persistent threat from phishing, often targeting individual users through direct wallet connection requests or malicious links. This attack represents an escalation, moving beyond basic impersonation to exploit the perceived legitimacy of Etherscan verification and the complexity of multi-signature transaction bundling. The prevailing attack surface included user vigilance against transaction details and the implicit trust placed in established on-chain verification mechanisms.
Analysis
The attack vector involved a multi-stage social engineering exploit targeting the victim’s multi-signature wallet and interaction with the Request Finance app. The attacker deployed a counterfeit, Etherscan-verified contract nearly two weeks in advance, pre-programming it with multiple “batch payment” functions to appear legitimate. On the day of the exploit, a malicious approval was executed through the Request Finance app interface.
This approval was artfully disguised within the Safe Multi Send mechanism, allowing the attacker to bypass standard scrutiny by mimicking the first and last characters of a legitimate recipient address. This chain of events enabled the attacker to gain unauthorized access to and drain the victim’s USDC holdings.
Parameters
- Targeted Protocol/Wallet → 2-of-4 Safe multi-signature wallet
- Vulnerability Type → Sophisticated phishing via fake Etherscan-verified contract and Safe Multi Send exploit
- Financial Impact → $3.047 Million USDC
- Blockchain(s) Affected → Ethereum
- Attack Date → September 11, 2025
- Funds Destination → Ethereum, then Tornado Cash
- Leveraged Interface → Request Finance app
Outlook
Immediate mitigation for users involves heightened scrutiny of all transaction approval requests, particularly those involving batch operations or interactions with third-party interfaces. Protocols must enhance their front-end security to detect and flag interactions with known malicious or mimicked contract addresses. This incident will likely establish new best practices for contract verification processes and necessitate more robust client-side transaction simulation tools to expose hidden malicious payloads. The contagion risk extends to any protocol or user relying on similar multi-send mechanisms without rigorous transaction content validation.
Verdict
This incident serves as a critical warning, emphasizing the escalating sophistication of social engineering attacks that exploit trust in verified on-chain identities and complex transaction structures.
Signal Acquired from → cryptoslate.com
